Netscape Directory Server Programmer's Guide: Function Reference

Complete Contents
Getting Started
Chapter 1 Understanding Server Plug-Ins
Chapter 2 Writing and Compiling Plug-Ins
Chapter 3 Calling the Front-End API Functions
Chapter 4 Quick Start
Chapter 5 Writing Database Plug-Ins
Chapter 6 Writing Pre/Post-Operation Plug-Ins
Chapter 7 Defining Functions for LDAP Operations
Chapter 8 Defining Functions for Database Operations
Chapter 9 Defining Functions for Authentication
Chapter 10 Writing Entry Store/Fetch Plug-Ins
Chapter 11 Writing Extended Operation Plug-Ins
Chapter 12 Writing Matching Rule Plug-Ins
Chapter 13 Data Type and Structure Reference
Chapter 14 Function Reference
Chapter 15 Parameter Reference
Glossary

slapi_access_allowed()

Determines if a user (who is requesting the current operation) has the access rights to perform an operation on a given entry, attribute, or value.

#include "slapi-plugin.h"
int slapi_access_allowed( Slapi_PBlock *pb, Slapi_Entry *e,
char *attr, struct berval *val, int access );

The function has the following parameters:
pb
Parameter block passed into this function.

e
Entry that you want to check the access rights for.

attr
Attribute that you want to check the access rights for.

val
Pointer to the berval structure containing the value that you want to check the access rights for.

access
Type of access rights that you want to check for (for example, to check for write access, pass SLAPI_ACL_WRITE as the value of this argument).

The value of the access argument can be one of the following:
SLAPI_ACL_ADD
Permission to add a specified entry.

SLAPI_ACL_COMPARE
Permission to compare the specified values of an attribute in an entry.

SLAPI_ACL_DELETE
Permission to delete a specified entry.

SLAPI_ACL_READ
Permission to read a specified attribute.

SLAPI_ACL_SEARCH
Permission to search on a specified attribute or value.

SLAPI_ACL_WRITE
Permission to write a specified attribute or value or to rename a specified entry.

One of the following values:

LDAP_SUCCESS, if the user has the specified rights to the entry, attribute, or value.

LDAP_INSUFFICIENT_ACCESS, if the user does not have the specified rights to the entry, attribute, or value.

One of the following error codes, if a problem occurs:


LDAP_OPERATIONS_ERROR	An error occured while executing the operation. This error can occur if, for example, the type of access rights you've specified are not recognized by the server (in other words, you did not pass a value from the previous table).
LDAP_INVALID_SYNTAX	Invalid syntax was specified. This error can occur if the ACLassociated with an entry, attribute, or value uses the wrong syntax.
LDAP_UNWILLING_TO_PERFORM	The DSA (this directory server) is unable to perform the specified operation. This error can occur if, for example, you are requesting write access to a read-only database.

Description

Call slapi_access_allowed() to determine if a user has access rights to a specified entry, attribute, or value. The function performs this check for users who request the operation that invokes this plug-in.

For example, suppose you are writing a preoperation plug-in for the add operation. You can call this function to determine if users have the proper access rights before they can add an entry to the directory.

As part of the process of determining if the user has access rights, the slapi_access_allowed() function does the following:

Checks to see if the user requesting the operation is the root DN.

If so, the function returns LDAP_SUCCESS. (The root DN has permission to perform any operation.)

Gets information about the operation being requested, the connection to the client, and the back-end database where directory information is stored.

If (for some reason) the function cannot determine which operation is being requested, the function returns LDAP_OPERATIONS_ERROR.

If no connection to a client exists (in other words, if the request for the operation was made by the server or its back-end), the function returns LDAP_SUCCESS. (The server and its back-end are not restricted by access control lists.)

If the back-end database is read-only and the request is checking for write access (SLAPI_ACL_WRITE), the function returns LDAP_UNWILLING_TO_PERFORM.

Determines if the user requesting the operation is attempting to modify his or her own entry.

ACLs can be set up to allow users the rights to modify their own entries. The slapi_access_allowed() function checks for this condition.

© Copyright 1998 Netscape Communications Corporation